SAP Vulnerability Exposes Enterprises to Ransomware, Other Attacks

A remote code execution (RCE) vulnerability in SAP GUI (Graphical User Interface) exposes unpatched systems to malware attacks such as ransomware, ERPScan security researchers warn.


The flaw was discovered in December 2016, and SAP was informed of the issue the same month, yet a fix was released only as part of SAP’s March 2017 security updates. The flaw was found in SAP GUI for Windows 7.20 to 7.50 and was assessed with a High severity rating (a CVSS Base Score of 8.0).

SAP GUI is a platform that offers remote access to the SAP central server in a company network. To exploit the vulnerability, an attacker would need specially crafted ABAP (Advanced Business Application Programming) code that bypasses the SAP GUI security policy and executes code on the client.

According to ERPScan, a company specialized in securing SAP and Oracle applications, the vulnerability could allow an attacker to “access arbitrary files and directories located in an SAP-server filesystem, including an application’s source code, configuration, and critical system files.” Actors could use the bug to obtain critical technical and business-related information stored in a vulnerable SAP system.

“When we open SAP GUI > Options > Security > Security Configuration > Open security configuration, we can see the list of rules which SAP GUI uses. These rules determine whether or not to show a security prompt during critical actions (e.g. when an ABAP code wants to read a local file, download a file from the server to client, or execute a program). Our research revealed that SAP GUI has a rule which allows reading, writing, and executing of the regsvr32.exe Windows application without the security prompt,” ERPScan explains.

The security researchers also explain that regsvr32.exe can be used to load DLL files from a remote SMB share and execute the DllMain function. To reproduce the flaw, one can compile a DLL file and upload it to an SMB share, create an ABAP program and replace the DllMain path with the share path, then execute the program.
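The behaviour described above leaves a recognisable trace on the workstation: the SAP GUI client process spawning regsvr32.exe with a UNC (\\server\share) path as its argument. The following detection logic is an added example, not code from ERPScan or SAP; it runs over constructed process-creation events modelled loosely on Sysmon fields, and the parent process name saplogon.exe is assumed to be the SAP GUI for Windows launcher.

```python
import re

# Constructed sample events (not real telemetry), loosely shaped like
# Sysmon process-creation records: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s \\fileserver01\public\payload.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx"},
    {"parent": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe report.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe \\10.0.0.5\share\x.dll"},
    {"parent": r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Temp\local.dll"},
]

# A UNC path: two leading backslashes, a host, a backslash, then a share/file path.
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')
# Assumed SAP GUI client process name (hypothetical set; extend for your deployment).
SAP_GUI_PARENTS = {"saplogon.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a severity label for a regsvr32.exe launch, or None if benign-looking."""
    if basename(event["image"]) != "regsvr32.exe":
        return None
    remote = UNC_PATH.search(event["cmdline"]) is not None
    from_sap_gui = basename(event["parent"]) in SAP_GUI_PARENTS
    if remote and from_sap_gui:
        return "high"    # SAP GUI loading a DLL over SMB: the pattern in the article
    if remote:
        return "medium"  # any regsvr32 over SMB is worth a look
    if from_sap_gui:
        return "low"     # SAP GUI launching regsvr32 at all is unusual, but local
    return None


def scan(events):
    """Return (index, severity) for every event that classify() flags."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Tuning the `SAP_GUI_PARENTS` set and suppressing known local registrations keeps the "low" tier from becoming noise.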

“The attack vector is rather trivial. By exploiting this vulnerability, an attacker can force all the SAP GUI clients within a company to automatically download malware that locks workstations and demands money in exchange for regaining control of their systems. Of note, each client has its own unique payment address, which worsens the situation,” Vahagn Vardanyan, one of the ERPScan researchers who discovered this bug, says.

Responding to a SecurityWeek inquiry, ERPScan’s Darya Maenkova explains that an attacker can create a malicious transaction and then simply compromise the SAP Server to put the transaction into autoloading. She also explains that attackers could use a remotely exploitable vulnerability to compromise the server.


“Each time a user logs in to the infected SAP server using SAP GUI, the malicious transaction will be executed, calling a program on an endpoint that downloads the ransomware. The next time a user tries to run an SAP GUI application, the malicious transaction will be executed and prevent them from logging on to the SAP server,” Maenkova says.

Once an attacker manages to compromise a system, however, they can execute any command remotely (the command runs with the privileges of the service that executed it). This means that an attack where a ransom is demanded in exchange for regaining access to the affected systems is only one of the possible scenarios in which the flaw can be abused. Ransomware, however, remains one of the easiest ways to mass-exploit the bug for financial gain.

The good news is that ERPScan isn’t aware of the vulnerability being exploited in the wild. Affected customers are nevertheless advised to apply the released patch as soon as possible, as well as to implement “a vulnerability management process to continuously monitor, identify, evaluate, and mitigate vulnerabilities.”

In the case of this SAP GUI vulnerability, however, the patching process is a rather long and laborious operation, because the patch needs to be installed on each and every PC within the network, ERPScan explains.

Related: SAP Patches Five Vulnerabilities in HANA Database Platform

Related: Flaw in PwC Security Tool Exposes SAP Systems to Attacks

Related: Vulnerability Impacts Web-Exposed SAP Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
